Why worst boss? I think it is fine if he is blocking Facebook in office.
– Vinayak Garg, Dec 26 '11 at 6:49

4

iptables works on... well.. "IPs". You'd have to block out all of Facebook's webserver IPs. But it won't get you far if your users then switch to a proxy (either a normal proxy or a web-based one).
– vstm, Dec 26 '11 at 6:52

It does not matter whether they are using a proxy or not. I need to block the domain name facebook, so that normally no user is able to log in to Facebook. Can you please tell me how I can do this?
– tanvir, Dec 26 '11 at 6:59

1

@meagar - the only way this qualifies as "worst boss" is in the sense they think there are technical solutions to behavioural problems. You (or for that matter, I) may not agree with how they want their IT resources to be used, but fundamentally it's their resource and therefore their choice.
– RobM, Dec 27 '11 at 0:17

7 Answers
7

If you're the boss:

Any technical solution to this problem will not solve the actual problem, which is people in your office being bored and wanting to browse facebook / look at porn / whatever instead of working.

This is a management issue, and needs to be resolved through the use of management tools, such as clear corporate acceptable internet use policies that detail clearly what is, and isn't acceptable, and what happens if they're broken. If a guy's using facebook all day rather than doing his job, don't block facebook, fire his ass*.

If you're the technical guy the boss has asked to do this:

This is really dodgy ground. You can't effectively censor the internet without a lot of resources, expertise and control. What will end up happening is that you'll implement some sort of hack (your iptables posting indicates you might not have all the expertise required to do this), your users will work around it and now you've got an angry boss who demands to know why you can't do your job right.

You need to set expectations with your management that while you can implement something given the resources and skills you have, it's probably not going to be effective and therefore a waste of your time.

Have to agree with this. If technical tools must be used at all, they should be in support of, not instead of, HR policy.
– RobM, Dec 27 '11 at 0:20

This is exactly the answer my company went back to a client with recently who asked us to do the same (we manage their IT). If staff are wasting their time online it's totally a management issue. It's not feasible to drop in a solution like this ad-hoc either. If they really want a technical solution, hand them the costs for WebSense or similar, and the user manual on how to control the blacklists once it's set up.
– SimonJGreen, Mar 5 '12 at 23:54

If your users are clever, then your task may be difficult to fully enforce, and iptables cannot easily and reliably do what you want. Here are a few considerations.

Your iptables rules block or filter traffic based on IP addresses and ports. Facebook presents multiple IP addresses, and may change those IP addresses from time to time.

Your users can always use an open proxy to access Facebook, bypassing limitations based on IP address.

You should enact a corporate policy governing the use of internet access at the workplace and specify what usage is regarded as appropriate or inappropriate.

You can gain some control if you're managing your company's DNS servers, which would enable you to redefine the IP address of facebook.com for your users. There are some decent firewalls and services that provide categorization (Fortinet Fortigate-60, OpenDNS, BlueCoat, etc.). You also might try a proxy like Squid to do such filtering if you're looking for a free solution on existing equipment.

Came here to suggest OpenDNS and corporate policy. Emphasis on policy. Otherwise you're just making it difficult for them. If you set concrete repercussions, then they'll be playing with fire(d).
– Belmin Fernandez, Dec 26 '11 at 7:38
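
The Squid suggestion in the answer above, sketched as a squid.conf fragment. This is an added example, not configuration posted by anyone in this thread. The ACL name `blocked_social` is made up for illustration, `localnet` is assumed to be defined as in the stock squid.conf, and clients are assumed to be configured to use the proxy explicitly.

```conf
# squid.conf fragment (added example; ACL name "blocked_social" is hypothetical).
# Rule order matters: Squid applies the first http_access line that matches.

# Weak: without the leading dot, dstdomain matches only the exact host
# "facebook.com", so www.facebook.com and other subdomains are not covered.
#acl blocked_social dstdomain facebook.com

# Better: a leading dot matches facebook.com and every subdomain,
# whatever IP addresses those names resolve to at the time.
acl blocked_social dstdomain .facebook.com

# Deny before the general allow. For HTTPS through an explicitly configured
# proxy, the CONNECT request carries the hostname, so this rule applies too.
http_access deny blocked_social

# Assumes "localnet" is defined earlier, as in the stock squid.conf.
http_access allow localnet
http_access deny all
```

This matches on the requested name rather than on addresses, so it does not go stale when the site's IPs change. It only affects clients whose traffic actually passes through this proxy, and it does nothing about the open proxies mentioned in the answers.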